Thanks Stefan, what I didn't mention is that half way through our network
engineer decided to implement a change that silently broke Kerberos
authentication leaving me chasing my tail on the wrong problem. Anyway,
time to move on - have a great day.



On Mon, Dec 5, 2016 at 4:39 PM Stefan Uygur <suy...@firstderivatives.com>
wrote:

> Glad you solved your issue.
>
>
>
> I’ve been there myself so don’t worry about it at all.
>
>
>
> *From:* Callum Guy [mailto:callum....@x-on.co.uk]
> *Sent:* 05 December 2016 16:37
> *To:* Stefan Uygur; Florence Blanc-Renaud; freeipa-users@redhat.com
>
>
> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>
>
>
> Hi Stefan,
>
>
>
> Thanks for your input, I am able to clarify that I wasn't simply copying
> and pasting in - the dollar sign was included in my password rather than
> the example. But yes, no denying that my command line skills are to blame.
>
>
>
> Further to this problem I am happy to report that the issue is now solved.
> My main issue was the dollar sign meaning that I had updated the DM
> password incorrectly for FreeIPA. Secondly I appear to have caused an issue
> with SSSD and it was a restart of this service which finally resolved the
> issue for me. I doubt there is much to be learnt from my issue - definitely
> user error.
>
>
>
> Thanks so much for your responses, very much appreciated. Apologies for
> taking up your time.
>
>
>
> Callum
>
>
>
>
>
>
>
> On Mon, Dec 5, 2016 at 2:48 PM Stefan Uygur <suy...@firstderivatives.com>
> wrote:
>
> Hi,
>
> I think you are copying and pasting the exact same commands from the
> article, which is of course a wrong approach. Never copy/paste from web to
> execute on your server. That $ signs indicates you can give any name you’d
> like.
>
>
>
> Follow this article here:
>
> https://access.redhat.com/solutions/308623
>
>
>
> Stefan
>
>
>
>
>
> *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Callum Guy
> *Sent:* 05 December 2016 13:38
> *To:* Florence Blanc-Renaud; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Directory Manager Password Change
>
>
>
> Hi Flo,
>
>
>
> I have indeed executed every step in order, including the one you have
> indicated.
>
>
>
> The password I has used included a dollar sign and this meant that echo
> -n $DM_PASSWORD > /root/dm_password didn't work as I had expected meaning
> everything after the dollar was interpreted as a variable and was missing
> in the file. I have corrected this and performed the full process again,
> starting with the 389 reset however it is still not working correctly.
>
>
>
> I remain in the same state as before where the admin password has not been
> changed - this confuses me as my understanding is that admin only exists as
> the FreeIPA web admin user whose password I can change separately. Am i
> misunderstanding, is there another admin user within FreeIPA which is
> directly linked to the directory manager?
>
>
>
> Having run out of ideas I have just executed ipa-server-upgrade however
> this hasn't helped. My situation remains as follows:
>
>
>
> *Works:* ldapsearch -x -D "cn=directory manager" -w  *NEW_DM_PW  *-s base
> -b "" "objectclass=*"
>
> *Fails:  *ldapsearch -h localhost -ZZ -p 389 -x -D
> "uid=admin,ou=people,o=ipaca" -w *NEW_DM_PW *-b "" -s base
>
>
>
> Are you able to offer any other ideas?
>
>
>
> Other information:
>
> I can confirm that cacert.p12 has been updated by the actions performed.
>
> File /etc/pki/pki-tomcat/password.conf now contains a new line internaldb=
> *NEW_DM_PW *(as per instruction 1 on FreeIPA link)
>
>
>
> Best Regards,
>
>
>
> Callum
>
>
>
>
>
> On Mon, Dec 5, 2016 at 1:08 PM Florence Blanc-Renaud <f...@redhat.com>
> wrote:
>
> On 12/05/2016 01:05 PM, Callum Guy wrote:
> > Hi All,
> >
> > I have been testing FreeIPA and now plan to migrate to production use -
> > thanks for creating such a great application!
> >
> > During the test phase we have been using simple passwords for the admin
> > and directory manager users however we need these changed before moving
> > into production. I believe we can change the admin password using the
> > web interface however as I understand it amending the directory manager
> > password is not so straightforward.
> >
> > I have found this
> > link
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> however
> > I am unsure if this is the correct procedure for our installation -
> > certainly i am having no luck so far.
> >
> > We have the following setup:
> >
> > FreeIPA 4.2.0 - single master server (no replicas), multiple clients
> > CentOS 7.2
> >
> > I have tried the following steps in order:
> >
> >
> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
> > followed by
> > https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> >
> > After completing that I am no longer able to authenticate user logins.
> > The below covers my current situation:
> >
> > This works:
> > ldapsearch -x -D "cn=directory manager" -w NEWPASSWORD -s base -b ""
> > "objectclass=*"
> >
> > This does not work:
> > ldapsearch -x -D "cn=directory manager" -w OLDPASSWORD -s base -b ""
> > "objectclass=*"
> >
> > This works:
> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
> > -W -b "" -s base
> > OLDPASSWORD
> >
> > This does not work:
> > ldapsearch -h localhost -ZZ -p 389 -x -D "uid=admin,ou=people,o=ipaca"
> > -W -b "" -s base
> > NEWPASSWORD
> >
> Hi,
>
> your commands show that the Directory Manager password was properly
> modified, but not admin's password. Did you run the step 3 Updating PKI
> admin password of the procedure [1]?
> ldappasswd -h localhost -ZZ -p $CA_PORT -x -D "cn=Directory Manager" -W
> -T /root/dm_password "uid=admin,ou=people,o=ipaca"
>
> Flo.
>
> [1]
>
> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password#3._Update_PKI_admin_password
>
> > So i'm i a mixed up state! Is anyone able to offer advise on resolving
> > this issue?
> >
> > Thank you,
> >
> > Callum
> >
> >
> >
> >
> >
> > *^0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |  _
> > **_^<https://twitter.com/xonuk>
> >  <http://www.linkedin.com/company/x-on/products>
> >  <https://www.facebook.com/XonTel> *
> > X-on is a trading name of Storacall Technology Ltd a limited company
> > registered in England and Wales.
> > Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> > Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> > The information in this e-mail is confidential and for use by the
> > addressee(s) only. If you are not the intended recipient, please notify
> > X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
> delete the
> > message from your computer. If you are not a named addressee you must
> > not use, disclose, disseminate, distribute, copy, print or reply to this
> > email. Views or opinions expressed by an individual
> > within this email may not necessarily reflect the views of X-on or its
> > associated companies. Although X-on routinely screens for viruses,
> > addressees should scan this email and any attachments
> > for viruses. X-on makes no representation or warranty as to the absence
> > of viruses in this email or any attachments.
> >
> >
> >
>
>
>
> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |  * *
> <https://twitter.com/xonuk>
> <http://www.linkedin.com/company/x-on/products>
> <https://www.facebook.com/XonTel>*
>
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
> delete the
> message from your computer. If you are not a named addressee you must not
> use, disclose, disseminate, distribute, copy, print or reply to this email.
> Views or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its
> associated companies. Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence of
> viruses in this email or any attachments.
>
>
>
> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |  * *
> <https://twitter.com/xonuk>
> <http://www.linkedin.com/company/x-on/products>
> <https://www.facebook.com/XonTel>*
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
> delete the
> message from your computer. If you are not a named addressee you must not
> use, disclose, disseminate, distribute, copy, print or reply to this email.
> Views or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its
> associated companies. Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence of
> viruses in this email or any attachments.
>

-- 



*0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   ** 
<https://twitter.com/xonuk>   
<http://www.linkedin.com/company/x-on/products>   
<https://www.facebook.com/XonTel> * 
X-on is a trading name of Storacall Technology Ltd a limited company 
registered in England and Wales.
Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
The information in this e-mail is confidential and for use by the 
addressee(s) only. If you are not the intended recipient, please notify 
X-on immediately on +44(0)333 332 0000 and delete the
message from your computer. If you are not a named addressee you must not 
use, disclose, disseminate, distribute, copy, print or reply to this email. 
Views 
or opinions expressed by an individual
within this email may not necessarily reflect the views of X-on or its 
associated companies. Although X-on routinely screens for viruses, 
addressees should scan this email and any attachments
for viruses. X-on makes no representation or warranty as to the absence of 
viruses in this email or any attachments.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to